From the article: “compliance programs often fall over under real-world threats.” Just about every major breach of a payment system that gets publicised is of an organisation that is ‘PCI compliant’. However, PCI compliance should be seen as only one part of a full security and privacy program. It seems that we are failing even to do that:
Payment security has deteriorated for the second consecutive year in the Americas as only 1 in 5 companies meet compliance requirements, according to a Verizon report.
Verizon’s 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. PCI DSS was launched by Visa in 2004 and organizations were supposed to be in compliance within 5 years. Compliance improved gradually from 2010 to 2016 and then started to decline. The lack of payment compliance raises a lot of security issues. Companies in Asia-Pacific have the highest compliance with PCI DSS standards, with 69.6% at full compliance, compared with 48% in Europe, the Middle East and Africa. In the Americas just 20.4% have full PCI DSS compliance.
Part of the issue is that complying with PCI DSS is largely about showing controls on paper for data and privacy protection, but compliance programs often fall over under real-world threats.